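#!/bin/bash
# Exercise the logcheck rules shipped for rsyslog: make rsyslog emit its own
# start/stop messages into an isolated syslog file and into the journal, then
# run logcheck over both and print every line its rules do not match.
#
# Must run as root on a systemd host with rsyslog and logcheck installed.
# Exit status: 0 when every line was matched, 1 when logcheck reported
# unmatched lines or when rsyslog produced nothing to check.
set -eu

# The files logcheck reads are created by root but consumed by the logcheck
# user, so they must not inherit a restrictive umask.
umask 022

readonly syslog_file=/var/log/test-rsyslog-syslog.log
readonly rsyslog_conf=/etc/rsyslog.d/rsyslog-logcheck.conf

# Scratch directory for logcheck's inputs and outputs. mktemp replaces the
# former fixed names under /tmp, which any local user could pre-create or
# symlink before the test runs. The directory is made world-readable (never
# writable) because logcheck runs as its own unprivileged user.
workdir=$(mktemp -d) || { echo >&2 "ERROR: mktemp -d failed"; exit 1; }
readonly workdir
chmod 0755 "$workdir"
readonly journal_file="$workdir/test-rsyslog-journal.log"
readonly logfiles_list="$workdir/logcheck.logfiles"
readonly state_dir="$workdir/logcheck.state"
readonly unmatched="$workdir/test-rsyslog-unmatched"

# Overall result; set to 1 by any ERROR/FAIL branch below.
status=0

#######################################
# Remove everything this script created. Runs on every exit path, in
# particular after a failure under set -e, so the rsyslog drop-in never
# stays behind and keeps diverting rsyslog's messages from /var/log/syslog.
# Globals:   rsyslog_conf, syslog_file, workdir (read)
# Arguments: none
#######################################
cleanup() {
  rm -rf -- "$rsyslog_conf" "$syslog_file" "${workdir:?}"
}
trap cleanup EXIT

echo "* Checking logcheck rules"
# tell rsyslog to output to a file other than /var/log/syslog to isolate
# rsyslog messages. nb that rsyslog.service is hardened so this file
# cannot be in /tmp (#1053898)
cat > "$rsyslog_conf" <<EOF
:programname, contains, "rsyslog" $syslog_file
EOF
: > "$syslog_file"

echo "** Starting and stopping rsyslog"
# if rsyslog is already running then merely doing 'start+stop'
# will not reload the new config.
# stderr is merged into stdout because systemd reports on stderr that
# syslog.socket will restart rsyslog, and that is expected here rather
# than an error.
systemctl stop rsyslog 2>&1
systemctl start rsyslog
systemctl stop rsyslog 2>&1

echo "** rsyslog generated the following lines in syslog:"
cat "$syslog_file"
if [[ ! -s "$syslog_file" ]]; then
  echo >&2 "ERROR: rsyslog produced no syslog entries (in /var/log/test-rsyslog-syslog.log) at all"
  echo "/var/log/syslog contained:"
  # purely diagnostic: a journal-only host may have no /var/log/syslog
  cat /var/log/syslog || true
  status=1
fi

echo "** rsyslog generated the following lines in the systemd journal:"
journalctl --since=-5min _COMM=rsyslogd \
  | tee "$journal_file"
if [[ ! -s "$journal_file" ]]; then
  echo >&2 "ERROR: rsyslog produced no journal entries at all"
  status=1
fi

echo "** Running logcheck"
# check both syslog and journal lines with logcheck
# no need to change config, but set -o and hide state and logfiles-list-directory
cat > "$logfiles_list" <<EOF
$journal_file
$syslog_file
EOF
mkdir "$state_dir"
chown logcheck:logcheck "$state_dir"
chmod 0750 "$state_dir"
# nb: su is used because logcheck refuses to run as root
# nb: add '-d' option to logcheck if you need to debug
# the paths are single-quoted inside the command string so an unusual
# TMPDIR does not get word-split by the shell su spawns
su -s /bin/bash -c "/usr/sbin/logcheck -L '$logfiles_list' -S '$state_dir' -D /dev/null -o" logcheck \
  | tee "$unmatched"
# result should be empty
if [[ -s "$unmatched" ]]; then
  echo >&2 "* FAIL: unmatched lines - logcheck rules may need updating"
  status=1
else
  echo "* OK: no unmatched lines"
fi
cat "$unmatched"

# cleanup runs via the EXIT trap; report the outcome through the exit code
# so a test harness does not have to scrape the FAIL/ERROR messages.
exit "$status"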